Re: Help developing an exploit


On Sat, 28 Apr 2007 21:46:08 -0400
"Webster Orkin" <webster.orkin@xxxxxxxxx> wrote:
The problem I've been
having is that my payload ends up at address 0x0012E6B4 and if I try
to get that address into EIP, my entire message is rejected for
containing an x00 character. Here's what I've found about what I can

(23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
EDX->EIP)(up to 4500 bytes)

from the address, it looks like your buffer is on the stack. Please ignore the
rest of this posting if that's not the case.
The obvious solution would be to look for a byte sequence 0xFFE4 (jmp esp) or
similar in memory mapped at addresses without 0x00 or other forbidden
characters in them. Since you say XML, I assume 0x3c, 0x2f and 0x3e wouldn't
be appreciated either. Once you find such an address, let EDX->EIP point
there, so execution will return to the stack.
You may try OllyDbg and for
finding specific byte sequences that may help you getting your code executed.


SABRE Labs GmbH | Felix 'FX' Lindner <fx@xxxxxxxxxxxxxx> | GSM: +49 171 7402062
Wrangelstrasse 4 | PGP: A740 DE51 9891 19DF 0D05
10997 Berlin, Germany | 13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner